Microsoft warns of Visual Studio 2005 flaw

The Microsoft software used by programmers to develop web services is suffering from a serious zero-day vulnerability that is being actively exploited to execute remote code, the software giant announced in an advisory late Tuesday.

Visual Studio 2005 contains a flawed WMI Object Broker ActiveX control that is exploitable by a malicious website viewed on Internet Explorer (IE), vulnerability reporting firm Secunia said today in an advisory. The company rated the bug "extremely critical," its most severe rating.

"An attacker who successfully exploited this vulnerability could take complete control of the affected system," the Microsoft advisory says. "In a web-based attack scenario, an attacker would host a website that exploits this vulnerability."

However, in what the Redmond, Wash.-based company calls "mitigating factors," for the exploit to work, a user would need to follow a phishing link to reach the malicious website.

Users also are presumably safe if they are running IE 7 because the just-released web browser upgrade turns off the affected ActiveX control by default.

The vulnerability remains unpatched, but Microsoft said it expects to issue a fix in an upcoming security update. The next scheduled patch release is Nov. 14.

As a workaround, the Microsoft advisory suggests users set the kill-bit for the affected ActiveX control. The kill-bit is a feature that prevents ActiveX execution in a user's web browser.